If Microsoft DirSync was used to create and synchronize the local AD accounts up to Office 365, remember to disable it prior to using MigrationWiz. KB004336

Note: BitTitan recommends stopping DirSync during migration; however, I have migrated mailboxes without stopping DirSync. You must not change the mail attribute or UPN of any Active Directory account during the migration phase. You can change them later in bulk using PowerShell cmdlets.

Set up accounts on Office 365 and assign licenses. These can be created in several ways:

By Microsoft DirSync. Read this very important Knowledge Base article before running Microsoft DirSync, to see if it should be run prior to migration. KB004336

By BitTitan Sync tool. KB004336

Prepare tenant to send and receive large mail items. KB005139

Contact Microsoft to ask to have the tenant EWS throttling limits raised for 60 days. Note: This step is only required if your Source environment will support migration speeds that are faster than the Destination. KB005493

Note: This step can be completed by a reseller. You must provide a company email address (migrationadmin@company.com) to associate your company with the MigrationWiz portal. This email address is the logon of the Migration Admin who will perform the migration task.

Create the customer. KB005421

Create the Source and Destination endpoints. KB005427

Purchase licenses. From your MSPComplete dashboard, click on Purchase > Mailbox Migration > select MigrationWiz-Mailbox and enter the number of licenses you wish to purchase. Check to see if there are any available bundles for discounts (e.g., MigrationWiz-Mailbox and DeploymentPro Bundle). KB004647

Deploy DMA to users. Once DMA has been deployed to users, check the Users tab in MSPComplete. This will be populated with the user accounts that have DMA installed. DMA can be deployed by either of these options:

Via Group Policy Object (GPO). Note: This is the recommended methodology, because no end user interaction is required. KB005412, KB005411

Pre-stage Mailboxes

Create the Mailbox Migration project. KB005070. Create the Mailbox Migration project > Select the customer > Select the Source endpoint > Select the Destination endpoint. Add the accounts (also referred to as “items”) that will be migrated to the project. KB004842

Set the Project Advanced Options. KB004834

Set to use impersonation at the Destination. Checkmark the Use impersonation at Destination box. KB004727

Set Maximum concurrent migrations e.g. 500. If the Source server has enough server resources, set this parameter based on the bandwidth guideline of three (3) mailboxes per 1Mbps of bandwidth. Therefore, for example, if there is a 10Mbps connection, we recommend setting the maximum concurrent migrations parameter to be 30.

Set maximum error to 100.

Set the successful and failed migration reports to go to migrationadmin@company.com. Do not send a report to end users; this may cause confusion among users when you run credential checks and the pre-stage pass.

Note: Since MigrationWiz has full access rights to the source and destination email, there is no need to populate the password column.

Run Verify Credentials for all mailboxes. KB004511

Notify users that a migration is occurring. Send email to all users telling them the time and date of the migration.

Pre-Stage pass: Select the users > Click on the Start button from the top, and select Pre-Stage Migration > Under the Migration Scheduling section, from the drop-down list, select 30 days ago > Click on Start Migration. KB004938

If you notice any failed migrations, filter for the failed migrations and select Pause Failed Migration. Then select all paused migrations and run Pre-Stage on them, so that they complete simultaneously instead of waiting for the migration to complete and then retrying errors.

Final Migration or MX Cutover

MX Record Cutover. Change over MX records on the DNS provider’s portal. Also include the AutoDiscover (CName) setting.

Full (Delta) pass: Select the users > Click on the Start button from the top, select Full Migration > Click on Start Migration. KB004938

Run Retry Errors. KB004658

Look through the user list and click on any red “failed migration” errors. Review information and act accordingly.

If problems persist, contact Support. KB004529

If not using DeploymentPro, users must create new Outlook profiles, and set up their signatures again, and reattach any PST files that were attached to their previous profile.

Click on the pie chart icon in the MigrationWiz dashboard to receive an email containing all the project migration statistics. KB004626

Outlook Client Migration to new Office 365

DeploymentPro Steps

Go to All Products > DeploymentPro and follow the prompts to launch.

Select a customer from the list by clicking on the customer name. Note: The status column will show enabled when a customer account has had DMA deployed. Configure customer DeploymentPro module:

Enter Domain.

Select the Source endpoint.

Checkmark the Auto-populate box.

Note: In the Client Interface Configurations section, upload your company logo and add supporting text. Note: We strongly recommend doing this, because this is the logo and text that end users will see in a desktop pop-up when they are prompted to reconfigure their Outlook profiles. If you do not upload your own logo, the default BitTitan logo will be included instead.

Save and continue.

Activate DeploymentPro module for users.

Either select all users (by checkmarking the box to the left of the Primary Email column heading), or select the individual users (by checkmarking the boxes to the left of the user email addresses). Note: You will need to purchase DeploymentPro licenses for each user that will be using DeploymentPro. KB004647

Click on the Run Module button.

Schedule the profile cutover date.

Set the date and time for the Outlook profile configuration to occur, and click on the Run Module button.

Notes:

The DeploymentPro module will install on user devices immediately, and then run silently until this date.

The profile cutover date should be set to a date and time that is shortly after MX record cutover.

On the profile cutover date, users will be guided through the reconfiguration of their Outlook profile.

Go to Office 365 ECP, select Recipients, go to Groups, create a distribution group and add all users to the distribution group. To find a script to do the job, refer to step 3 of the post migration section of this article, and replace Remove-DistributionGroupMember with Add-DistributionGroupMember in the script.

Go to Office 365 ECP, select Mail flow, Connectors, and create an outbound send connector to send email from Office 365 to your organisation's email server. When creating this connector, select the smart host option and, in the smart host window, type the public IP address or FQDN of the MX record of domain.com.

Go to Office 365 ECP, select Mail flow, Rules, and create a rule so that any inbound email addressed to @domain.com whose recipient is a member of the special distribution group created in step 4 is forwarded to the send connector you created in step 5.

When an Exchange Online mailbox user1@domain.com sends mail to user2@domain.com (on-premises/hosted Gmail), user2 does not exist on the Exchange Online side and domain.com is set as “Internal Relay” under the “Accepted domain” configuration, so the message will be delivered to on-premises/Gmail through the special outbound connector.
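
The coexistence routing described above, written as Exchange Online PowerShell. This is an added example, not the original article's script; it assumes a connected Exchange Online session, and the group name, group address, smart host, rule and connector names, CSV path and its PrimaryEmail column are all hypothetical placeholders.

```powershell
# Added example, not the original article's script.
# Run in a connected Exchange Online PowerShell session.
$Domain        = 'domain.com'                        # placeholder domain used in the article
$GroupName     = 'Not Yet Migrated'                  # hypothetical group name
$GroupAddress  = "not-yet-migrated@$Domain"          # hypothetical group address
$SmartHost     = 'mx.source.example'                 # hypothetical FQDN of the source MX host
$ConnectorName = 'Office 365 to source mail system'  # hypothetical connector name
$RuleName      = 'Route unmigrated recipients to source'

# 1. Distribution group holding every user whose mailbox still lives at the source.
#    It is hidden from address lists because it contains all users.
if (-not (Get-DistributionGroup -Identity $GroupName -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $GroupName -PrimarySmtpAddress $GroupAddress -Type Distribution
    Set-DistributionGroup -Identity $GroupName -HiddenFromAddressListsEnabled $true
}

# 2. The accepted domain is Internal Relay, as the article states.
#    Assumes the accepted domain object is named after the domain.
Set-AcceptedDomain -Identity $Domain -DomainType InternalRelay

# 3. Outbound connector to the source smart host. It is scoped to transport
#    rules, so no other mail can leave through it. EncryptionOnly requires
#    the source server to offer STARTTLS.
New-OutboundConnector -Name $ConnectorName -ConnectorType OnPremises `
    -SmartHosts $SmartHost -UseMXRecord $false `
    -IsTransportRuleScoped $true -TlsSettings EncryptionOnly

# 4. Rule: mail for @domain.com recipients who are members of the group
#    is routed through the connector created in step 3.
New-TransportRule -Name $RuleName -RecipientDomainIs $Domain `
    -SentToMemberOf $GroupAddress -RouteMessageOutboundConnector $ConnectorName

# Per-batch membership change. 'Add' before the batch is migrated,
# 'Remove' once the batch has been cut over, so that its mail stays
# in Office 365 instead of being relayed back to the source.
function Set-BatchRouting {
    param(
        [Parameter(Mandatory = $true)] [string] $CsvPath,
        [Parameter(Mandatory = $true)] [ValidateSet('Add', 'Remove')] [string] $Action
    )
    foreach ($row in Import-Csv -Path $CsvPath) {
        if ($Action -eq 'Add') {
            Add-DistributionGroupMember -Identity $GroupName -Member $row.PrimaryEmail
        }
        else {
            Remove-DistributionGroupMember -Identity $GroupName -Member $row.PrimaryEmail -Confirm:$false
        }
    }
}

# Example call for a migrated batch (hypothetical file name):
# Set-BatchRouting -CsvPath .\batch01.csv -Action Remove
```

Because the connector is transport-rule scoped and the rule is limited to group members, removing a migrated user from the group is what stops that user's mail from being relayed to the source system.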

Post Migration:

Once you have migrated a batch of mailboxes, you have to remove proxy address and forwarding address from that batch of source mailboxes on the source email domain.

Before you begin, create a worksheet in a spreadsheet recording the information required to migrate Exchange 2007/2010 to Exchange 2013. For this article, I am going to use the following worksheet. This worksheet and migration guide were tested in production Exchange migrations which I did for a few of my clients. Note that this article is not situation specific, hence I can’t provide you a silver bullet for your situation.

Deployment Work Sheet

Version Readiness Check

| Present Server | Proposed Server |
| --- | --- |
| Exchange 2007 SP3 OR 2010 SP3 | Exchange 2013 CU3 |

Exchange Role Assignment

Exchange 2013 has two server roles: the Mailbox and Client Access server roles. You need at least one Client Access server and one Mailbox server in the Active Directory forest. If you’re separating your server roles, Microsoft recommends installing the Mailbox server role first.

Mailbox Role: The Mailbox server includes the Client Access protocols, the Transport service, the Mailbox databases, and Unified Messaging (the Client Access server redirects SIP traffic generated from incoming calls to the Mailbox server). The Mailbox server handles all activity for the active mailboxes on that server.

Client Access: The Client Access server provides authentication, limited redirection, and proxy services for all of the usual client access protocols: HTTP, POP and IMAP, and SMTP. The Client Access server, a thin and stateless server, doesn’t do any data rendering. With the exception of diagnostic logs, nothing is queued or stored on the Client Access server.

| Server Name | Exchange Roles |
| --- | --- |
| AUPEREXMBX01, AUPEREXMBX02 | Mailbox |
| AUPEREXCAS01, AUPEREXCAS02 | CAS |

Active Directory Schema and Forest

When you install Exchange 2013 for the first time, your Active Directory schema will be updated. This schema update is required to add objects and attributes to Active Directory to support Exchange 2013. Additionally, replicating the changes made to your schema may take several hours or days and is dependent on your Active Directory replication schedule. A forced replication can be performed after schema preparation.

| Description | AD Forest | Domain Controller |
| --- | --- | --- |
| Primary SMTP namespace | Superplaneteers.com | AUPERDC01, AUPERDC02 |
| User principal name domain | Superplaneteers.com | AUPERDC01, AUPERDC02 |
| Legacy Edge Transport | N/A | |

Network Configuration

| Server Name | TCP/IP | DNS | Replication network |
| --- | --- | --- | --- |
| AUPEREXMBX01 | 10.10.10.11 | 10.10.10.2, 10.10.10.3 | 192.168.100.11/24 |
| AUPEREXMBX02 | 10.10.10.12 | 10.10.10.2, 10.10.10.3 | 192.168.100.12/24 |
| AUPEREXCAS01 | 10.10.10.13 | 10.10.10.2, 10.10.10.3 | N/A |
| AUPEREXCAS02 | 10.10.10.14 | 10.10.10.2, 10.10.10.3 | N/A |

The network adapter name used within the operating system of mailbox server must be changed to closely match the associated network name. For example: Domain Network and Replication Network. The following binding order must be maintained within Windows operating systems:

First in Order- Domain adapter connected to the Active Directory network

Second in Order- Replication adapter connected to the heartbeat network.

A public Secure Sockets Layer (SSL) certificate is a prerequisite in Exchange 2013. SSL helps to protect communication between your Exchange servers and clients and other mail servers by encrypting data and, optionally, identifying each side of the connection.

You can buy a third-party certificate from public CA such as Verisign. Certificates published by public CAs are trusted by most operating systems and browsers.

| Common Name | Subject Alternative | Type | Assigned to |
| --- | --- | --- | --- |
| mail.superplaneteers.com | autodiscover.superplaneteers.com | SSL | IIS, SMTP, POP, IMAP |

Supported Client

Exchange 2013 supports the following minimum versions of Microsoft Outlook and Microsoft Entourage for Mac:

Outlook 2013 (15.0.4420.1017)

Outlook 2010 Service Pack 1 with the Outlook 2010 November 2012 update (14.0.6126.5000).

Outlook 2007 Service Pack 3 with the Outlook 2007 November 2012 update (12.0.6665.5000).

Entourage 2008 for Mac, Web Services Edition

Outlook for Mac 2011

Exchange 2013 does not support Outlook 2003.

Public DNS records

| DNS record | Record Type | IP/Alias/FQDN | Priority |
| --- | --- | --- | --- |
| Mail.superplaneteers.com | A | 203.17.x.x | N/A |
| superplaneteers.com | MX | Mail.superplaneteers.com | 10 |
| Autodiscover.superplaneteers.com | CNAME | Mail.superplaneteers.com | N/A |

If you have hosted email security then your MX record must look like this. An example is given here for TrendMicro hosted email security.

| DNS record | Record Type | IP/Alias/FQDN | Priority |
| --- | --- | --- | --- |
| Mail.superplaneteers.com | A | 203.17.x.x | N/A |
| superplaneteers.com | MX | in.sjc.mx.trendmicro.com | 10 |
| Autodiscover.superplaneteers.com | CNAME | Mail.superplaneteers.com | N/A |

Internal DNS records

| DNS record | Record Type | Hardware Load Balancer VIP or CAS NLB IP |
| --- | --- | --- |
| Mail.superplaneteers.com | A | 10.10.10.16 |
| Autodiscover.superplaneteers.com | A | 10.10.10.16 |

If you don’t have CAS NLB or hardware load balancer then create Host(A) record of mail.superplaneteers.com and point to Exchange 2013 CAS Server.

Send Connector

Here I am giving an example of a TrendMicro smart host. Do not add a smart host without proper authorization from the smart host provider; otherwise you will not be able to send email from the internal organisation to external destinations.

| Intended use | Address Space | Network Settings | Authentication | Smart Host |
| --- | --- | --- | --- | --- |
| Internet | “*” | default | Basic, Exchange, TLS | relay.sjc.mx.trendmicro.com |

Receive Connector

| Name | Intended use | Network Settings | IP Range | Server(s) |
| --- | --- | --- | --- | --- |
| Client Frontend | Client | default | All Available IPv4 | AUPEREXMBX01, AUPEREXMBX02 |
| Default Frontend | Inbound SMTP | default | All Available IPv4 | AUPEREXMBX01, AUPEREXMBX02 |

Anonymous Relay

| Relay | Authentication | Permission | Remote IP | SMTP |
| --- | --- | --- | --- | --- |
| Anonymous Relay | TLS, Externally Secured | Anonymous, Exchange Servers | IP Address of Printers, Scanner, Devices, App Server | 10.10.10.11, 10.10.10.12 |
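
The Anonymous Relay row above only stays safe while its Remote IP list is limited to the named devices, because an Externally Secured connector trusts every sender inside its remote range. The following added example (not part of the original article) reports any Externally Secured receive connector whose remote range is not an approved single address; the function name, the approved addresses and the sample connector objects are constructed for illustration.

```powershell
# Added example, not part of the original article.
# Reports Externally Secured receive connectors that accept mail from
# addresses outside the approved device list in the deployment worksheet.

function Get-RelayScopeFinding {
    param(
        # Connector objects exposing Name, AuthMechanism, PermissionGroups
        # and RemoteIPRanges (property names used by Get-ReceiveConnector).
        [Parameter(Mandatory = $true)] [object[]] $Connector,
        # Single addresses of printers, scanners, devices and app servers.
        [Parameter(Mandatory = $true)] [string[]] $ApprovedRemoteIP
    )

    foreach ($c in $Connector) {
        # Only Externally Secured connectors treat every sender in range
        # as trusted, so only those are checked here.
        if ("$($c.AuthMechanism)" -notmatch 'ExternalAuthoritative') { continue }

        foreach ($range in $c.RemoteIPRanges) {
            $text = "$range".Trim()
            # Anything that is not an approved single address is a finding,
            # which also catches CIDR blocks and start-end ranges.
            if ($ApprovedRemoteIP -notcontains $text) {
                [pscustomobject]@{
                    Connector        = $c.Name
                    RemoteRange      = $text
                    PermissionGroups = "$($c.PermissionGroups)"
                    Finding          = 'Range not on the approved relay list'
                }
            }
        }
    }
}

# Constructed sample data: approved device addresses and three connectors.
$approved = '10.10.10.50', '10.10.10.51'

$sample = @(
    [pscustomobject]@{
        Name             = 'Anonymous Relay'
        AuthMechanism    = 'Tls, ExternalAuthoritative'
        PermissionGroups = 'AnonymousUsers, ExchangeServers'
        RemoteIPRanges   = @('10.10.10.50', '10.10.10.51')
    },
    [pscustomobject]@{
        Name             = 'Anonymous Relay (widened copy)'
        AuthMechanism    = 'Tls, ExternalAuthoritative'
        PermissionGroups = 'AnonymousUsers, ExchangeServers'
        RemoteIPRanges   = @('10.10.10.50', '10.10.10.0/24', '0.0.0.0-255.255.255.255')
    },
    [pscustomobject]@{
        # Inbound SMTP connector: accepts anonymous mail from any address,
        # but is not Externally Secured, so it is not reported.
        Name             = 'Default Frontend'
        AuthMechanism    = 'Tls, Integrated, BasicAuth'
        PermissionGroups = 'AnonymousUsers, ExchangeServers'
        RemoteIPRanges   = @('0.0.0.0-255.255.255.255')
    }
)

Get-RelayScopeFinding -Connector $sample -ApprovedRemoteIP $approved |
    Format-Table -AutoSize

# Against a live organization, from the Exchange Management Shell:
# Get-RelayScopeFinding -Connector (Get-ReceiveConnector) -ApprovedRemoteIP $approved
```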

Port Forwarding in Cisco Router

| Rule | Source Address | Destination Address | NATed Destination | Port |
| --- | --- | --- | --- | --- |
| OWA | Any | 203.17.x.x | 10.10.10.16 | 443 |
| SMTP | Any | 203.17.x.x | 10.10.10.16 | 25 |

Again if you don’t have CAS NLB or load balancer your NATed destination is Exchange 2013 CAS server.

6. On a domain controller, open a command prompt as an administrator and run the following commands:

repadmin /showrepl

repadmin /replsummary

repadmin /syncall

netdom query fsmo

Dcdiag /e

Netdiag

7. Open Active Directory Sites and Services MMC, make sure all domain controllers are global catalog.

8. Start Menu, Run, type eventvwr to open Event Viewer. Review the event logs to see that everything is working as normal.

9. Start Menu, Run> Services.msc to open services, Check DNS server, DNS Client, File replication services are started and set to automatic

10. Open SYSVOL in all domain controllers and check everything is same in all domain controllers.

Now you are ready to prepare Active Directory Domain and Forest.

1. Extract the Exchange2013-x64-cu3.EXE package you have downloaded from the Microsoft web site to a common location. In my example I will use E:\EXCHANGE2013

2. Open a command prompt as an Administrator, and navigate to the directory to which you extracted the files. In the case of this example it will be E:\Exchange2013. You should see a Setup.exe file located there.

Now replicate Active Directory manually or wait for replication to complete. Check the event logs on the domain controllers for any unexpected errors. If everything looks fine, go ahead and install Exchange 2013.

Installing Exchange 2013 CU3

After you have downloaded Exchange 2013 CU2, log on to the computer on which you want to install Exchange 2013.

Navigate to the network location of the Exchange 2013 installation files.

Start Exchange 2013 Setup by right clicking Setup.exe select Run as administrator

On the Check for Updates page, choose whether you want Setup to connect to the Internet and download product and security updates for Exchange 2013. Select Don’t check for updates right now, you can download and install updates manually later. Click Next to continue.

The Introduction page begins the process of installing Exchange into your organization. Click Next to continue.

On the License Agreement page, review the software license terms. If you agree to the terms, select I accept the terms in the license agreement, and then click Next.

On the Recommended settings page, select whether you want to use the recommended settings. If you select Use recommended settings, Exchange will automatically send error reports and information about your computer hardware and how you use Exchange to Microsoft. Click Next.

On the Server Role Selection page, select both Mailbox role and Client Access role or separate role based on your design. The management tools are installed automatically if you install any other server role.
Select Automatically install Windows Server roles and features that are required to install Exchange Server to have the Setup wizard install required Windows prerequisites. You may need to reboot the computer to complete the installation of some Windows features. If you don’t select this option, you must install the Windows features manually. Click Next to continue.

On the Installation Space and Location page, click Browse to choose a new location. I strongly recommend installing Exchange 2013 on a separate partition other than the C: drive. Click Next to continue.

On the Malware Protection Settings page, choose whether you want to enable or disable malware scanning. If you disable malware scanning, it can be enabled in the future. Unless you have a specific reason to disable malware scanning, we recommend that you keep it enabled. Click Next to continue.

On the Readiness Checks page, view the status to determine if the organization and server role prerequisite checks completed successfully. Click Next to run the prerequisite check again. Be sure to also review any warnings that are reported. If all readiness checks have completed successfully, click Install to install Exchange 2013.

On the Completion page, click Finish.

Restart the computer after Exchange 2013 has completed.

Once rebooted log on to Exchange server and review Event Logs in Exchange Server.

Depending on your requirements, you can configure wild card certificate or a SAN certificate. I will go for SAN certificate to avoid further configuration such as certificate principal name configuration. In this example, I will create a SAN certificate which is as follows.

Enter your user name and password in Domain\user name and Password, and then click Sign in.

Go to Servers > Certificates. On the Certificates page, make sure your Client Access server is selected in the Select server field, and then click New .

In the New Exchange certificate wizard, select Create a request for a certificate from a certification authority and then click Next.

Specify a name for this certificate and then click Next.

If you want to request a wildcard certificate, select Request a wild-card certificate and then specify the root domain of all subdomains in the Root domain field. If you don’t want to request a wildcard certificate and instead want to specify each domain you want to add to the certificate, leave this page blank. Click Next.

Click Browse and specify an Exchange server to store the certificate on. The server you select should be the Internet-facing Client Access server. Click Next.

For each service in the list shown, verify that the external or internal server names that users will use to connect to the Exchange server are correct. For example: CN=mail.superplaneteers.com and SAN=autodiscover.superplaneteers.com

These domains will be used to create the SSL certificate request. Click Next.

Add any additional domains you want included on the SSL certificate.

Select the domain that you want to be the common name for the certificate and click Set as common name. For example, mail.superplaneteers.com. Click Next.

Provide information about your organization. This information will be included with the SSL certificate. Click Next.

Specify the network location where you want this certificate request to be saved. Click Finish.

After you’ve saved the certificate request, submit the request to your certificate authority (CA) which is public CA. Clients that connect to the Client Access server must trust the CA that you use. After you receive the certificate from the CA, complete the following steps:

On the Server > Certificates page in the EAC, select the certificate request you created in the previous steps.

In the certificate request details pane, click Complete under Status.

On the Complete pending request page, specify the path to the SSL certificate file and then click OK.

Select the new certificate you just added, and then click Edit .

On the certificate page, click Services.

Select the services you want to assign to this certificate. At minimum, you should select IIS but you can also select IMAP, POP, SMTP and UM call router if you use these services. Click Save.

If you receive the warning Overwrite the existing default SMTP certificate?, click Yes.

Select the 3rd-party certificate that’s used by Exchange 2010 that matches the host names you’ve configured on the Exchange 2013 server. This must be a 3rd-party certificate and not a self-signed certificate.

Right-click on the certificate and select All Tasks and then Export….

In the Certificate Export Wizard, click Next.

Select Yes, export the private key and click Next.

Make sure Personal Information Exchange – PKCS #12 (.PFX) and Include all certificates in the certification path if possible are selected. Make sure no other options are selected. Click Next.

Select Password and enter a password to help secure your certificate. Click Next.

Specify a file name for the new certificate. Use the file extension .pfx. Click Next and then click Finish.

You’ll receive a confirmation prompt if the certificate export was successful. Click OK to close it.

Copy the .pfx file you created to your Exchange 2013 Client Access server.

After you’ve exported the certificate from your Exchange 2010 server, you need to import the certificate on your Exchange 2013 server using the following steps.

Enter your user name and password in Domain\user name and Password, and then click Sign in.

Go to Servers > Servers, select the name of the Internet-facing Exchange 2013 Client Access server and then click Edit .

Click Outlook Anywhere.

In the Specify the external hostname field, specify the externally accessible FQDN of the Client Access server. For example, mail.superplaneteers.com.

While you’re here, let’s also set the internally accessible FQDN of the Client Access server. In the Specify the internal hostname field, insert the FQDN you used in the previous step. For example, mail.superplaneteers.com.

Type the following cmdlets in EMS to find the arbitration mailboxes, then migrate them using the migration wizard.

Get-Mailbox -Arbitration > C:\Arbitration.txt

Get-Mailbox "*Discovery*" > C:\Discovery.txt

In the EAC, go to Recipients > Migration.

Click New , and then click Move to a different database.

On the New local mailbox move page, click Select the users that you want to move, and then click Add .

On the Select Mailbox page, add the mailbox that has the following properties:

The display name is Microsoft Exchange.

The alias of the mailbox’s email address is SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}.

Click OK, and then click Next.

On the Move configuration page, type the name of the migration batch, and then click Browse next to the Target database box.

On the Select Mailbox Database page, add the mailbox database to move the system mailbox to. Verify that the version of the mailbox database that you select is Version 15.x, which indicates that the database is located on an Exchange 2013 server.

Click OK, and then click Next.

On the Start the batch page, select the options to automatically start and complete the migration request, and then click New.

Enable and configure Outlook Anywhere

To allow your Exchange 2013 Client Access server to redirect connections to your Exchange 2010 servers, you must enable and configure Outlook Anywhere on all of the Exchange 2010 servers in your organization. If some Exchange 2010 servers in your organization are already configured to use Outlook Anywhere, their configuration must also be updated to support Exchange 2013. When you use the steps below to configure Outlook Anywhere, the following configuration is set on each Exchange 2010 server:

Autodiscover uses an Active Directory object called the service connection point (SCP) to retrieve a list of AutoDiscover URLs for the forest in which Exchange is installed. When you install Exchange 2013, you need to update the SCP object to point to the Exchange 2013 server. This is necessary because Exchange 2013 servers provide additional AutoDiscover information to clients to improve the discovery process.

You must update the SCP object configuration on every Exchange server in the organization. You need to use the version of the Exchange Management Shell that corresponds to the version of the Exchange servers you’re updating.

Perform the following steps to configure the SCP object on your Exchange 2010 servers.

2. In the New send connector wizard, specify a name for the send connector and then select Custom for the Type. You typically choose this selection when you want to route messages to computers not running Microsoft Exchange Server 2013. Click Next.

3. Choose Route mail through smart hosts, and then click Add. In the Add smart host window, specify the fully qualified domain name (FQDN), such as relay.sjc.mx.trendmicro.com. Click Save.

4. Under Address space, click Add . In the Add domain window, make sure SMTP is listed as the Type. For Fully Qualified Domain Name (FQDN), enter * to specify that this send connector applies to messages sent to any domain. Click Save.

At this stage, you are ready to configure public DNS record. Update your public DNS record including Hosted Email Security. You only need to configure public DNS if you are changing public IPs and hosted email security otherwise you just have to change the port 443 and port 25 forwarding rule in internal Cisco router in your organization.

Your public DNS must look similar to this table.

| DNS record | Record Type | IP/Alias/FQDN |
| --- | --- | --- |
| superplaneteers.com | MX | Mail.superplaneteers.com |
| mail.superplaneteers.com | A | 203.17.x.x (Public IP) |
| autodiscover.superplaneteers.com | A | 203.17.x.x (Public IP) |

Ask the ISP that provided your 203.17.x.x public IP to create a reverse DNS record for mail.superplaneteers.com. This is very important for Exchange to function correctly. When you send email to a destination, many destination servers check reverse DNS. If reverse DNS is wrong, you could be banned from sending email to the destination server. Note that outlook.com checks the reverse DNS and SPF records of a domain sending email to an outlook address.

Configure TMG/UAG

If you are publishing internet facing Exchange 2013 CAS using TMG or UAG, follow the URL below and publish Outlook Web App and Active Sync.

Enter your user name and password in Domain\user name and Password, and then click Sign in.

Go to Recipients > Migration, click Add and then select Move to a different database.

Under Select the users that you want to move, click Add .

In the Select Mailbox window, select the mailboxes you want to move, click Add and then OK.

Verify that the mailboxes you want to move are listed and then click Next.

Specify a name for the new mailbox move and verify that Move the primary mailbox and the archive mailbox if one exists is selected.

Under Target database, click Browse.

In the Select Mailbox Database window, select a mailbox database on the Exchange 2013 server that you want to move the mailboxes to, click Add and then OK.

Verify that the mailbox database displayed in Target database is correct and then click Next.

Decide which user should receive the mailbox move report once the move is complete. By default, the current user will receive the move report. If you want to change which user receives the report, click Browse and select a different user.

Verify Automatically start the batch is selected.

Decide whether you want to have mailbox moves automatically complete. During the finalization phase, the mailbox is unavailable for a short time. If you choose to complete the mailbox move manually, you can decide when the move is finalized. For example, you might want to finalize the move during off-work hours. Select or clear Automatically complete the migration batch.

In Exchange 2013, public folders were re-engineered using mailbox infrastructure to take advantage of the existing high availability and storage technologies of the mailbox database. Public folder architecture uses specially designed mailboxes to store both the public folder hierarchy and the content. This also means that there’s no longer a public folder database. High availability for the public folder mailboxes is provided by a database availability group (DAG).

There are two types of public folder mailboxes: the primary hierarchy mailbox and secondary hierarchy mailboxes. Both types of mailboxes can contain content:

Primary hierarchy mailbox The primary hierarchy mailbox is the one writable copy of the public folder hierarchy. The public folder hierarchy is copied to all other public folder mailboxes, but these will be read-only copies.

Secondary hierarchy mailboxes Secondary hierarchy mailboxes contain public folder content as well and a read-only copy of the public folder hierarchy.

There are two ways you can manage public folder mailboxes:

In the Exchange admin center (EAC), navigate to Public folders > Public folder mailboxes.

Before you migrate public folder, I would recommend creating new separate mailbox database in Exchange 2013 then start the migration process.

Step1: Perform Prerequisites
Download all four of the Microsoft Exchange 2013 public folder migration scripts and save the scripts in C:\PFScripts
Prerequisites in Exchange 2010 Server
Open Exchange Management Shell on the Exchange 2010 server and run the following cmdlets one by one.
Run the following command to take a snapshot of the original source folder structure.
Get-PublicFolder -Recurse | Export-CliXML C:\PFMigration\Legacy_PFStructure.xml

Run the following command to take a snapshot of public folder statistics such as item count, size, and owner.
Get-PublicFolderStatistics | Export-CliXML C:\PFMigration\Legacy_PFStatistics.xml

Run the following command to take a snapshot of the permissions.
Get-PublicFolder -Recurse | Get-PublicFolderClientPermission | Select-Object Identity,User -ExpandProperty AccessRights | Export-CliXML C:\PFMigration\Legacy_PFPerms.xml

Save the information from the preceding commands for comparison at the end of the migration.
In Exchange 2010, to locate public folders that have a backslash in the name, run the following command:
Get-PublicFolderStatistics -ResultSize Unlimited | Where {$_.Name -like "*\*"} | Format-List Name, Identity

In Exchange 2007, to locate public folders that have a backslash in the name, run the following command:
Get-PublicFolderDatabase | ForEach {Get-PublicFolderStatistics -Server $_.Server | Where {$_.Name -like "*\*"}}

If any public folders are returned, you can rename them by running the following command:
Set-PublicFolder -Identity <public folder identity> -Name <new public folder name>

Make sure there isn’t a previous record of a successful migration. If there is, you’ll need to set that value to $false. If the value is set to $true the migration request will fail.
The following example checks the public folder migration status.
Get-OrganizationConfig | Format-List PublicFoldersLockedforMigration, PublicFolderMigrationComplete

Run the PublicFolderToMailboxMapGenerator.ps1 script to create the public folder-to-mailbox mapping file. This file is used to create the correct number of public folder mailboxes on the Exchange 2013 Mailbox server.
.\PublicFolderToMailboxMapGenerator.ps1 <Maximum mailbox size in bytes> <Folder to size map path> <Folder to mailbox map path>

Step3: Create public folder mailboxes on Exchange 2013
Run the following command to create the first public folder mailbox on the Exchange 2013 Mailbox server.
New-Mailbox -PublicFolder <Name> -HoldForMigration:$true -Database "Exchange 2013 database"

Run the following command to create additional public folder mailboxes as needed based on the .csv file generated from the PublicFoldertoMailboxMapGenerator.ps1 script.

Legacy system public folders such as OWAScratchPad and the schema-root folder subtree in Exchange 2007 won’t be recognized by Exchange 2013 and will be treated as bad items. This will cause the migration to fail. As part of the migration request, you must specify a value for the BadItemLimit parameter.

Step7: Test Public Folder Migration
Run the following command to assign some test mailboxes to use any newly migrated public folder mailbox as the default public folder mailbox.
Set-Mailbox -Identity <Test User> -DefaultPublicFolderMailbox <Public Folder Mailbox Identity>

Log on to Outlook 2007 or later with the test user identified in the previous step, and then perform the following public folder tests:

Post Migration Check

1. Verify that the internal and external DNS records and aliases for autodiscover and mail point to the Exchange 2013 CAS server, load balancer VIP or CAS NLB IP. At this stage, do not delete the Host (A) records of the legacy Exchange servers; leave them until you decommission the servers.

Now is the time to shut down the legacy Exchange servers in your organization and test Exchange 2013 mail flow again. Make sure you shut down the servers during working hours on working days. Keep the legacy Exchange servers down for at least 48 hours. To decommission legacy Exchange, follow these steps:

1. Bring all legacy servers online, that is, power on all servers that were shut down in the previous step.

2. Remove all public folder replicas; otherwise the public folder database cannot be removed. To remove public folder replicas, open the Exchange Management Console in Exchange 2010, click Tools, open the Public Folder Management Console, select Default Public Folder, click Properties, click Replication, and remove the Exchange 2010 database from replication. Repeat the same for the system public folders.

4. Go to Control Panel to remove Exchange 2007/2010. On the Programs and Features screen, click Uninstall. The Maintenance Mode page of the Exchange Server 2007/2010 Setup wizard begins the process of removing your Exchange installation. Click Next to continue.

5. On the Server Role Selection page, clear all Exchange 2007/2010 server roles and the Exchange management tools to remove them. In an Exchange 2007 CCR, remove the passive node first, then follow the same steps on the active node. Click Next to continue.

6. On the Readiness Checks page, view the status to determine if the organization and server role prerequisite checks completed successfully. If the prerequisites check doesn’t complete successfully, review the Summary page and fix any issues that are preventing Setup from removing Exchange 2007/2010. If the checks have completed successfully, click Uninstall to remove the entire installation of Exchange 2007/2010.

7. On the Completion page, click Finish.

8. Verify the setup log files and folder located at C:\ExchangeSetupLogs.

9. Uninstall Internet Information Services (IIS) from Windows Server 2008, or through Add/Remove Programs in Windows Server 2003.

Standard: Designed to protect clients (desktops, portable computers, and servers) on your local network. This edition includes Outbreak Defence, Firewall, and Antivirus/Anti-spyware scanning. It also comes with technical support, malware/virus pattern file downloads, real-time scanning, and program updates for one year.

Advanced: Designed to protect clients and Microsoft Exchange servers on your network. In addition to all the features in Worry-Free Business Security Standard, this edition includes Anti-spam, Content Filtering, Data Loss Prevention, and Attachment Blocking.

Worry-Free Business Security features:

Component Updates

Device Control

Antivirus/Anti-spyware

Firewall

Web Reputation

URL Filtering

Behavior Monitoring

User Tools

Instant Messaging Content Filtering

Mail Scan (POP3)

Mail Scan (IMAP)

Anti-Spam (IMAP)

Email Message Content Filtering

Email Message Data Loss Prevention

Attachment Blocking

TrendMicro Components:

Registration Key

A Registration Key comes with your purchase of Worry-Free Business Security. It has 22 characters (including hyphens) and is in the following format: xx-xxxx-xxxxx-xxxxx-xxxxx

Use a fully licensed Registration Key to register Worry-Free Business Security on the Trend Micro website at http://olr.trendmicro.com.

Security Server

At the center of Worry-Free Business Security is the Security Server. The Security Server hosts the web console, the centralized web-based management console for Worry-Free Business Security. It also downloads updates from the Trend Micro ActiveUpdate Server, collects and stores logs, helps control virus/malware outbreaks, and manages all agents from a single location.

Scan Server

The Security Server includes a service called Scan Server, which is automatically installed during Security Server installation. As such, there is no need to install it separately. The Scan Server runs under the process name iCRCService.exe and appears as Trend Micro Smart Scan Service in Microsoft Management Console.

The Scan Server downloads scanning-specific components from Trend Micro and uses them to scan clients.

The web console is the central point for monitoring clients throughout the corporate network. It comes with a set of default settings and values that you can configure based on your security requirements and specifications. The web console uses standard Internet technologies, such as Java, CGI, HTML, and HTTP.

WFBS Ports

WFBS uses the following ports:

• Server listening port (HTTP port): Used to access the Security Server. By default, WFBS uses one of the following:

If Microsoft ISA Server or a proxy product is installed on the network, you need to open the HTTP port (8059 by default) and the SSL port (4343 by default) to allow access to the Web Console and to enable client-server communications.

3. Read the license agreement. If you agree with the terms, select I accept the terms of the license agreement.

4. Click Next. The Setup Type screen appears.

5. From the Setup Type page, choose one of the following options:

Typical install (Recommended) – This provides an easy solution for installing WFBS using Trend Micro default values. This method is suitable for a small business using a single Trend Micro Security Server and up to ten clients.

Minimal Install

Custom install – This provides flexibility in implementing your network security strategy. This method is suitable if you have many computers and servers or multiple Exchange servers.

6. Click Next. The Product Activation page appears. Note: If you do not have an Activation Code, you may not have registered your copy of WFBS yet. Click Register Online to open a new browser window.

7. Click Next. The Setup Overview page appears. The Setup Overview page shows the components that you need to configure in order to install the Trend Micro Security Server and the Security Agent (as well as the Messaging Security Agent [MSA] if you are using WFBS Advanced).

8. Click Next. If you selected Custom Installation, the Select Target Folder page would appear. The default WFBS install folder is C:\Program Files\Trend Micro\Security Server. If you want to install WFBS in another folder, click Browse.

9. Click Next. The Select Components page appears.

10. Select the components that you want to install. For WFBS Advanced only: The Configure Security Server page now highlights the Security Server.

Messaging Security Agent (optional): When installing the Security Server on a computer that has a Microsoft Exchange server installed on the same computer, Setup prompts you to install a local MSA.

Remote Messaging Security Agent (optional): When installing the Security Server on a computer that cannot detect the existence of local Microsoft Exchange servers, Setup prompts you to install the remote MSA to remote servers.

11. Configure the Security Server. The Security Server configuration tasks consist of pre-scanning the server for malware as well as configuring the web server and the proxy server.

12. Click Next. The Computer Prescan page appears.

13. Choose whether or not to pre-scan your computer for threats by selecting one of the following options:

Prescan my computer for threats – The prescan targets the most vulnerable areas of the computer, which include the following:

the boot area and boot directory (for boot sector viruses)

the Windows folder

the Program Files folder

Do not prescan my computer for threats – Trend Micro highly recommends pre-scanning your computer for security threats to ensure that the installation goes into a clean environment. Not pre-scanning the computer could prevent a successful installation.

14. Click Next. If you selected Custom Installation, the Web Server page would appear. Select a web server to host the Security Server web console. Choose one of the following:

Internet Information Services (IIS) server

Apache Web server 2.0.xx

15. Click Next. The Web Server Identification page appears.

16. Choose from one of the following server identification options for client-server communication:

Server information – Choose domain name or IP address:

Fully Qualified Domain Name – Use the web server’s domain name to ensure successful client-server communications.

IP address – Verify that the target server’s IP address is correct.

17. Click Next. The Administrator Account Password page appears.

18. Specify different passwords for the Security Server web console and the Security Agent.

Note: The password field holds 1-24 characters and is case sensitive.

Security Server web console – You will need a password to log on to the web console. Provide the password and confirm the password.

Security Agents – You will need the password to uninstall Security Agents and remove them from your computer.

User name and Password – Provide these only if the proxy server requires authentication.

24. Configure the Security Agent. The Security Agent configuration tasks consist of setting the agent installation path, configuring the agent’s server and desktop settings as well as the proxy server settings for additional services.

28. You can configure Security Agent settings for Servers and Desktops: In each group, you can configure the following components:

Servers – Windows Server 2003/2008 computers will be added to the default Servers group when you first add them to the web console. You can enable different technologies for this group based on your particular needs.

Desktops – Windows XP/Vista/7 computers will be added to the default Desktops group when you first add them to the web console. You can enable different technologies for this group based on your particular needs.

Smart Scan – Smart Scan uses a central scan server on the network to take some of the burden of the scanning of clients.

Antivirus and Anti-Spyware – This scans files for malicious code as they are accessed or created.

Firewall – This protects clients against malware attacks and network viruses by creating a barrier between the clients and the network.

Web Reputation – This blocks malicious websites through the credibility of web domains and assigning a reputation score based on several identifying factors.

Behavior Monitoring – This analyses program behaviour to proactively detect known and unknown threats.

Device Control – This regulates access to external storage devices and network resources.

29. Click Next. If you selected Custom Installation, the Proxy Setting for Additional Services page would appear. The Smart Scan, Web Reputation, and Behaviour Monitoring services use the proxy server address and port used by Internet Explorer on client computers. If that proxy server requires authentication, use this page to specify logon credentials.

30. For WFBS Advanced only: Configure the MSA. Note: This procedure applies to both local and remote MSA installation. You will be prompted to install the MSA at one of the following points:

When installing the Security Server on a computer that has Microsoft Exchange server installed on the same computer, Setup prompts you to install a local Messaging Security Agent.

When installing the Security Server on a computer that cannot detect the existence of local Microsoft Exchange servers, Setup prompts you to install the remote Messaging Security Agent to remote servers.

35. Proceed with the installation process. The Start Copying Files page shows a summary of all the parameters that will be used during the installation of WFBS. Do one of the following:

If you wish to verify previous installation settings, click Back.

Click Next to proceed with the actual installation.

The Install Third Party Components page appears. This page informs you which third party components will be installed.

36. Click Next to start installing the selected components. The entire installation process may take some time to complete. During the installation, a status page will show the progress being made. When the Setup Wizard Complete screen appears, click Finish.

From the Groups and Computers list, select the computer on which you will install the CSA and click Add. A prompt for a username and password appears. Note: You need an account with administrator rights for the installation.

Type the username and password of an account with administrator rights, and click Login. For domain computers, use the Domain_Name\Username format; for workgroup computers, use the Target_Computer_Name\Local_Administrator_User_Name format. The computer is added to the Selected Computers list.

Repeat Steps 6-7 if you want to add more computers to the list.

Click Install, and then click Yes when the confirmation window shows up. A progress screen will show the installation status, and the computer names will have a green check mark when the installation is complete.

Installing Agent for Exchange Server

The Messaging Security Agent (MSA) can also be installed from the Web Console.

1. Log on to the Web Console.

2. Click the Security Settings tab, and then click the Add button.

3. Under the Computer Type section, click Microsoft Exchange server.

4. Under Microsoft Exchange Server Information, type the following information:

• Server name: The name of the Microsoft Exchange server to which you want to install MSA.

• Account: The built-in domain administrator user name.

• Password: The built-in domain administrator password.

5. Click Next. The Microsoft Exchange Server Settings screen appears.

6. Under Web Server Type, select the type of Web server that you want to install on the Microsoft Exchange server. You can select either IIS Server or Apache Server.

7. For the Spam Management Type, End User Quarantine will be used.

8. Under Directories, change or accept the default target and shared directories for the MSA installation. The default target and shared directories are C:Program

a. Under the “Not registered” section, select your country and language from the dropdown list, then click Continue.

Enter your HES Registration Key.

If you have other Trend Micro products or services you want to register, enter their Registration Keys and click Continue. Otherwise, click No. The License Terms page appears.

Select I Accept, then click Submit.

Complete the registration information form.

Specify your OLR logon ID.

Note: The OLR logon ID will also serve as your HES portal login ID.

Click Submit.

The next page will show your HES Activation Code (AC). This means that you have successfully registered HES. You will receive an email copy containing your Activation Code, username and temporary password.

3. Using the provided OLR username and password, log on to the HES console:

If you have a Common Name certificate or Subject Alternative Name certificate on Exchange webmail or another website, you may want to replace it with a wildcard certificate to consolidate certificate use across a wide variety of infrastructure and save money. You can do so safely with minor downtime and little or no loss of productivity.

2. Provide the common name, the technical contact e-mail address associated with the SSL order, and the image number generated from the Geotrust User Authentication page.

3. Select Request Access against the correct order ID. An e-mail will be sent to the technical contact e-mail address specified above.

4. Click on the link listed in the e-mail to enter the User Portal. Click View Certificate Information. Select the appropriate PKCS#7 or X.509 format from the drop-down menu depending on the server requirements. NOTE: Microsoft IIS users select PKCS#7 format and save the file with a .p7b extension.

5. Select the Only connect to proxy servers that have this principal name in their certificate: check box, and then, in the box that follows, enter msstd:*.yourdomain.com.au.

6. Click OK, and then click OK again.

7. Click Next. Click Finish. Click Close.

8. The new setting will take effect after you exit Outlook and open it again.

Step8: Export Certificate from Exchange in .pfx format

The following Step8 to Step10 are for Forefront TMG 2010 configuration only. If you are using a different method to publish Exchange, you don’t need to follow these steps. Use the help file of your firewall/Edge product to configure SSL.

1. Click Start, select Run and type mmc.

2. Click on the File menu and select Add/Remove Snap-in.

3. Click Add, select Certificates among the list of Standalone Snap-ins and click Add.

4. Choose Computer Account and click Next.

5. Choose Local Computer and click Finish.

6. Close the window and click OK on the upper window.

7. Go to Personal, then Certificates.

8. Right-click, choose All Tasks, then Import.

9. A wizard opens. Select the file holding the certificate you want to import.

10. Then validate the default choices.

11. Make sure your certificate appears in the list and that the intermediate and root certificates are in their respective folders. If not, place them in the appropriate folder and replace existing certificates if needed.
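
A scripted version of the final check in the list above, as an added example that is not from the original post. It looks in the local computer's Personal store for the wildcard certificate (using the page's placeholder name *.yourdomain.com.au), confirms the private key came across with the import, and builds the chain to show whether the intermediate and root certificates are in place.

```powershell
# Added example, not from the original post.
# '*.yourdomain.com.au' is the placeholder name used on this page; replace it.
$expectedName = '*.yourdomain.com.au'
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

# Find certificates in the computer's Personal store whose CN is the wildcard name.
$certs = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.GetNameInfo($nameType, $false) -eq $expectedName })

if ($certs.Count -eq 0) {
    Write-Warning "No certificate with CN $expectedName found in LocalMachine\My"
}

$report = foreach ($cert in $certs) {
    # Build the chain from the local stores; a missing intermediate or root
    # shows up as a failed build, typically with a PartialChain status.
    $chain    = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $builds   = $chain.Build($cert)
    $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    $top      = $elements[$elements.Count - 1]
    $status   = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    New-Object PSObject -Property @{
        Thumbprint     = $cert.Thumbprint
        NotAfter       = $cert.NotAfter
        HasPrivateKey  = $cert.HasPrivateKey   # must be True for an SSL listener
        ChainBuilds    = $builds
        ChainLength    = $elements.Count       # 1 means no issuer was found
        TopOfChain     = $top.Subject
        TopIsSelfSigned = ($top.Subject -eq $top.Issuer)
        ChainStatus    = $status
    }
}

$report | Format-List Thumbprint, NotAfter, HasPrivateKey, ChainBuilds,
                      ChainLength, TopOfChain, TopIsSelfSigned, ChainStatus
```

A usable import shows HasPrivateKey and ChainBuilds as True, with the top of the chain being a self-signed root; anything else points back to a missing key in the .pfx or a missing intermediate certificate.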